[Pkg-freeipa-devel] [Git][freeipa-team/tomcatjss][master] 42 commits: Refactored JSSListener
Timo Aaltonen
gitlab at salsa.debian.org
Tue Jul 28 18:17:52 BST 2020
Timo Aaltonen pushed to branch master at FreeIPA packaging / tomcatjss
Commits:
47c4124a by Endi S. Dewata at 2019-04-29T12:24:44-05:00
Refactored JSSListener
The methods that loads JSS configuration has been moved from
JSSListener into TomcatJSS class for reusability.
- - - - -
a8b99c61 by Alexander Scheel at 2019-05-07T09:23:53-04:00
Update to F30 in Travis, removing F28
Signed-off-by: Alexander Scheel <ascheel at redhat.com>
- - - - -
d7222c2e by Endi S. Dewata at 2019-06-12T13:15:09-05:00
Updated version number to 7.4.1-1
- - - - -
fb11bcd4 by Alexander Scheel at 2019-06-24T11:29:38-04:00
Use JSSKeyManager and JSSTrustManager from JSS
With jss-pr#159 merged, we've added a KeyManager and TrustManager to the
JSS default provider that we should use instead of the instances
in-tree.
Signed-off-by: Alexander Scheel <ascheel at redhat.com>
- - - - -
38af75a4 by Timo Aaltonen at 2019-07-29T11:57:57+03:00
Merge branch 'upstream'
- - - - -
ab7929ad by Timo Aaltonen at 2019-07-29T12:03:39+03:00
bump the version
- - - - -
7db41d92 by Timo Aaltonen at 2019-07-29T12:06:04+03:00
releasing package tomcatjss version 7.4.1-1
- - - - -
f229c673 by Dinesh Prasanth M K at 2019-08-08T17:24:05-04:00
Spec update
Bumping min requirement for jss to 4.6.0
Signed-off-by: Dinesh Prasanth M K <dmoluguw at redhat.com>
- - - - -
35a49037 by Endi S. Dewata at 2019-08-21T18:39:25-05:00
Removed conflict with tomcat-native
The spec file has been modified to remove the conflict with
tomcat-native since it can be avoided by specifying the
protocol class and sslImplementationName in the server.xml.
- - - - -
996721df by Alexander Scheel at 2020-04-02T13:28:20-04:00
Update Travis CI to use Fedora 31
Signed-off-by: Alexander Scheel <ascheel at redhat.com>
- - - - -
88e33c42 by Alexander Scheel at 2020-04-02T16:07:47-04:00
Support JSS-based SSLEngine
Signed-off-by: Alexander Scheel <ascheel at redhat.com>
- - - - -
4b557785 by Alexander Scheel at 2020-04-30T10:24:00-04:00
Bump JSS dependency for SSLEngine
Signed-off-by: Alexander Scheel <ascheel at redhat.com>
- - - - -
8e93fb8a by Alexander Scheel at 2020-04-30T10:24:00-04:00
Simplify cipher and protocol support
Signed-off-by: Alexander Scheel <ascheel at redhat.com>
- - - - -
d91b1381 by Alexander Scheel at 2020-04-30T10:24:00-04:00
Bump TomcatJSS version to 7.5.0 alpha 1
Signed-off-by: Alexander Scheel <ascheel at redhat.com>
- - - - -
cc7d3b28 by Alexander Scheel at 2020-04-30T10:38:55-04:00
Add GitHub actions CI
Signed-off-by: Alexander Scheel <ascheel at redhat.com>
- - - - -
c929379b by Alexander Scheel at 2020-04-30T10:38:55-04:00
Remove legacy travis CI
Signed-off-by: Alexander Scheel <ascheel at redhat.com>
- - - - -
385291c4 by Alexander Scheel at 2020-04-30T13:27:59-04:00
Make protocols, ciphers unmodifiable
Also move initialization out of the constructor; JSSUtil's super
(SSLBaseUtil) calls getSupportedProtocols/getSupportedCiphers.
Signed-off-by: Alexander Scheel <ascheel at redhat.com>
- - - - -
f7129436 by Alexander Scheel at 2020-04-30T16:07:57-04:00
Make protocols, cipher suites static
Because of the way initialization happens in Java, the previous method
wouldn't work because they got initialized AFTER the super's constructor
had executed. Making them static ensures they get executed prior to
super's constructor executing.
Signed-off-by: Alexander Scheel <ascheel at redhat.com>
- - - - -
6761d9dc by Alexander Scheel at 2020-05-05T15:46:03-04:00
Make TomcatJSS use both SunJSSE and Mozilla-JSS
Signed-off-by: Alexander Scheel <ascheel at redhat.com>
- - - - -
5b5f8723 by Alexander Scheel at 2020-05-05T17:35:08-04:00
Only set certificate on JSSEngine
Signed-off-by: Alexander Scheel <ascheel at redhat.com>
- - - - -
a51952ba by Alexander Scheel at 2020-05-07T13:00:45-04:00
Add %license for LICENSE file
See: https://pagure.io/packaging-committee/issue/411
See: https://docs.fedoraproject.org/en-US/packaging-guidelines/LicensingGuidelines/
Signed-off-by: Alexander Scheel <ascheel at redhat.com>
- - - - -
2df0785c by Alexander Scheel at 2020-05-18T14:36:31-04:00
Fix Cipher, Protocol list for JSSE SSLEngines
Signed-off-by: Alexander Scheel <ascheel at redhat.com>
- - - - -
23655272 by Alexander Scheel at 2020-05-18T14:36:31-04:00
Fix JSSEngine usage
Signed-off-by: Alexander Scheel <ascheel at redhat.com>
- - - - -
ea539175 by Endi S. Dewata at 2020-05-26T21:39:57-05:00
Updated version number to 7.5.0-0.1 (alpha 1)
- - - - -
600a793c by Timo Aaltonen at 2020-05-27T23:55:40+03:00
Merge branch 'upstream-next' into master-next
- - - - -
8f20fc24 by Timo Aaltonen at 2020-05-28T00:32:52+03:00
bump the version
- - - - -
b1d1af36 by Timo Aaltonen at 2020-05-28T00:33:07+03:00
watch: Updated.
- - - - -
e4b33896 by Timo Aaltonen at 2020-05-28T00:39:47+03:00
control: Bump libjss-java dependencies to 4.7.0~.
- - - - -
1b40c9cf by Timo Aaltonen at 2020-05-28T00:50:17+03:00
releasing package tomcatjss version 7.5.0~a1-1
- - - - -
54e26482 by Alexander Scheel at 2020-06-25T14:05:45-04:00
Use factory for JSSKeyManager, JSSTrustManager
Signed-off-by: Alexander Scheel <ascheel at redhat.com>
- - - - -
2d69238a by Endi S. Dewata at 2020-07-02T15:54:48-05:00
Updated build.sh to generate UTC timestamp
The build.sh has been modified to generate UTC timestamp such
that it is consistent across different time zones.
- - - - -
1b3c9c04 by Alexander Scheel at 2020-07-06T09:49:05-04:00
Updated version number to 7.5.0-0.4 (beta 2)
Signed-off-by: Alexander Scheel <ascheel at redhat.com>
- - - - -
f23c5e40 by Timo Aaltonen at 2020-07-07T10:25:43+03:00
Merge branch 'upstream-next' into master-next
- - - - -
aefe297e by Timo Aaltonen at 2020-07-07T10:26:41+03:00
bump the version
- - - - -
f90ed0ea by Timo Aaltonen at 2020-07-07T10:27:06+03:00
control: Bump to debhelper-compat 12.
- - - - -
a7eddb59 by Timo Aaltonen at 2020-07-07T10:28:04+03:00
control: Bump policy to 4.5.0.
- - - - -
34a0993b by Endi S. Dewata at 2020-07-09T13:58:38-05:00
Updated version number to 7.5.0-1
- - - - -
b8b7a28b by Timo Aaltonen at 2020-07-28T11:57:08+03:00
rules: Specify the location of tomcat9-util.jar.
- - - - -
db934134 by Timo Aaltonen at 2020-07-28T11:57:35+03:00
Merge branch 'upstream' into master-next
- - - - -
dc215a6c by Timo Aaltonen at 2020-07-28T11:57:58+03:00
bump the version
- - - - -
52c0f803 by Timo Aaltonen at 2020-07-28T14:15:35+03:00
control: Bump tomcat9 build-dep to fix ftbfs.
- - - - -
73ec485e by Timo Aaltonen at 2020-07-28T20:13:05+03:00
releasing package tomcatjss version 7.5.0-1
- - - - -
17 changed files:
- + .github/workflows/required.yml
- − .travis.yml
- build.sh
- build.xml
- debian/changelog
- − debian/compat
- debian/control
- debian/rules
- debian/watch
- src/org/apache/tomcat/util/net/jss/TomcatJSS.java
- − src/org/dogtagpki/tomcat/JSSKeyManager.java
- src/org/dogtagpki/tomcat/JSSListener.java
- − src/org/dogtagpki/tomcat/JSSTrustManager.java
- + tomcat-8.5/src/org/dogtagpki/tomcat/JSSContext.java
- tomcat-8.5/src/org/dogtagpki/tomcat/JSSImplementation.java
- tomcat-8.5/src/org/dogtagpki/tomcat/JSSUtil.java
- tomcatjss.spec
Changes:
=====================================
.github/workflows/required.yml
=====================================
@@ -0,0 +1,20 @@
+name: Required Tests
+
+on: [push, pull_request]
+
+jobs:
+ test:
+ runs-on: ubuntu-latest
+ container: ${{ matrix.image }}
+ strategy:
+ matrix:
+ image: ['fedora:30', 'fedora:31']
+ steps:
+ - run: dnf install -y dnf-plugins-core gcc make rpm-build git
+ - name: Clone the repository
+ uses: actions/checkout at v2
+ - run: dnf copr -y enable ${TOMCATJSS_7_4_REPO:- at pki/master}
+ - run: dnf builddep -y --spec tomcatjss.spec
+ - run: dnf remove -y tomcat-native
+ - run: ./build.sh --with-timestamp --with-commit-id --work-dir=../packages rpm
+ - run: rpm -Uvh ../packages/RPMS/*
=====================================
.travis.yml deleted
=====================================
@@ -1,28 +0,0 @@
-# BEGIN COPYRIGHT BLOCK
-# (C) 2018 Red Hat, Inc.
-# All rights reserved.
-# END COPYRIGHT BLOCK
-
-services:
- - docker
-
-env:
- - FEDORA=28
- - FEDORA=29
-
-install:
- - docker pull registry.fedoraproject.org/fedora:$FEDORA
- - docker run
- --name=container
- --detach
- -i
- -v $(pwd):/root/tomcatjss
- registry.fedoraproject.org/fedora:$FEDORA
- - docker exec container dnf install -y dnf-plugins-core gcc make rpm-build
- - docker exec container dnf copr -y enable ${TOMCATJSS_7_4_REPO:- at pki/master}
- - docker exec container dnf builddep -y --spec /root/tomcatjss/tomcatjss.spec
- - docker exec container dnf remove -y tomcat-native
- - docker exec container /root/tomcatjss/build.sh --with-timestamp --with-commit-id rpm
-
-script:
- - docker exec container rpm -Uvh /root/build/tomcatjss/RPMS/*
=====================================
build.sh
=====================================
@@ -226,7 +226,7 @@ if [ "$DEBUG" = true ] ; then
fi
if [ "$WITH_TIMESTAMP" = true ] ; then
- TIMESTAMP="`date +"%Y%m%d%H%M%S"`"
+ TIMESTAMP="$(date -u +"%Y%m%d%H%M%S%Z")"
_TIMESTAMP=".$TIMESTAMP"
fi
=====================================
build.xml
=====================================
@@ -37,8 +37,8 @@
<property name="Name" value="Tomcat JSS"/>
<property name="name" value="tomcatjss"/>
- <property name="version" value="7.3.0"/>
- <property name="manifest-version" value="${version}"/>
+ <property name="version" value="7.5.0"/>
+ <property name="manifest-version" value="${version}-a1"/>
<!--
Set the properties that control various build options
=====================================
debian/changelog
=====================================
@@ -1,3 +1,27 @@
+tomcatjss (7.5.0-1) unstable; urgency=medium
+
+ * New upstream release.
+ * control: Bump to debhelper-compat 12.
+ * control: Bump policy to 4.5.0.
+ * rules: Specify the location of tomcat9-util.jar.
+ * control: Bump tomcat9 build-dep to fix ftbfs.
+
+ -- Timo Aaltonen <tjaalton at debian.org> Tue, 28 Jul 2020 14:15:37 +0300
+
+tomcatjss (7.5.0~a1-1) experimental; urgency=medium
+
+ * New upstream prerelease.
+ * watch: Updated.
+ * control: Bump libjss-java dependencies to 4.7.0~.
+
+ -- Timo Aaltonen <tjaalton at debian.org> Thu, 28 May 2020 00:39:50 +0300
+
+tomcatjss (7.4.1-1) unstable; urgency=medium
+
+ * New upstream release.
+
+ -- Timo Aaltonen <tjaalton at debian.org> Mon, 29 Jul 2019 12:03:59 +0300
+
tomcatjss (7.4.0-2) unstable; urgency=medium
* Upload to unstable.
=====================================
debian/compat deleted
=====================================
@@ -1 +0,0 @@
-11
=====================================
debian/control
=====================================
@@ -5,14 +5,14 @@ Maintainer: Debian FreeIPA Team <pkg-freeipa-devel at alioth-lists.debian.net>
Uploaders: Timo Aaltonen <tjaalton at debian.org>
Build-Depends:
ant,
- debhelper (>= 11),
+ debhelper-compat (= 12),
default-jdk,
javahelper,
libcommons-lang-java,
- libjss-java (>= 4.5.3),
+ libjss-java (>= 4.7.0~),
libslf4j-java,
- libtomcat9-java,
-Standards-Version: 4.1.4
+ libtomcat9-java (>= 9.0.37-2~),
+Standards-Version: 4.5.0
Homepage: http://pki.fedoraproject.org
Vcs-Git: https://salsa.debian.org/freeipa-team/tomcatjss.git
Vcs-Browser: https://salsa.debian.org/freeipa-team/tomcatjss.git
@@ -21,7 +21,7 @@ Package: libtomcatjss-java
Architecture: all
Depends: libtomcat9-java, ${java:Depends}, ${misc:Depends},
libcommons-lang-java,
- libjss-java (>= 4.5.0),
+ libjss-java (>= 4.7.0~),
libslf4j-java,
Conflicts: libtcnative-1
Breaks: pki-server (<< 10.3.5-2)
=====================================
debian/rules
=====================================
@@ -14,6 +14,7 @@ override_dh_auto_build:
-Dtomcat-api.jar=/usr/share/java/tomcat9-api.jar \
-Dtomcat-coyote.jar=/usr/share/java/tomcat9-coyote.jar \
-Dtomcat-juli.jar=/usr/share/java/tomcat9-juli.jar \
+ -Dtomcat-util.jar=/usr/share/java/tomcat9-util.jar \
-Dinstall.doc.dir=build/usr/share/doc/tomcatjss \
-Dinstall.jar.dir=build/usr/share/java \
-Dslf4j-api.jar=/usr/share/java/slf4j-api.jar \
=====================================
debian/watch
=====================================
@@ -1,4 +1,4 @@
version=4
-opts="filenamemangle=s%(?:.*?)?v?(\d[\d.]*)\.tar\.gz%tomcatjss-$1.tar.gz%" \
+opts="uversionmangle=s/-/~/,filenamemangle=s%(?:.*?)?v at ANY_VERSION@\.tar\.gz%tomcatjss-$1.tar.gz%" \
https://github.com/dogtagpki/tomcatjss/tags \
- (?:.*?/)?v?(\d[\d.]*)\.tar\.gz
+ (?:.*?/)?v at ANY_VERSION@\.tar\.gz
=====================================
src/org/apache/tomcat/util/net/jss/TomcatJSS.java
=====================================
@@ -20,6 +20,7 @@
package org.apache.tomcat.util.net.jss;
import java.io.File;
+import java.io.FileReader;
import java.io.IOException;
import java.net.SocketException;
import java.nio.file.Files;
@@ -27,8 +28,15 @@ import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Enumeration;
+import java.util.Properties;
import java.util.StringTokenizer;
+import javax.xml.parsers.DocumentBuilder;
+import javax.xml.parsers.DocumentBuilderFactory;
+import javax.xml.xpath.XPath;
+import javax.xml.xpath.XPathConstants;
+import javax.xml.xpath.XPathFactory;
+
import org.apache.commons.lang.StringUtils;
import org.mozilla.jss.CryptoManager;
import org.mozilla.jss.InitializationValues;
@@ -48,6 +56,8 @@ import org.mozilla.jss.util.IncorrectPasswordException;
import org.mozilla.jss.util.Password;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
+import org.w3c.dom.Document;
+import org.w3c.dom.Element;
public class TomcatJSS implements SSLSocketListener {
@@ -291,6 +301,194 @@ public class TomcatJSS implements SSLSocketListener {
this.tlsCiphers = tlsCiphers;
}
+ public void loadJSSConfig(String jssConf) throws Exception {
+ File configFile = new File(jssConf);
+ loadJSSConfig(configFile);
+ }
+
+ public void loadJSSConfig(File configFile) throws Exception {
+
+ Properties config = new Properties();
+ config.load(new FileReader(configFile));
+
+ loadJSSConfig(config);
+ }
+
+ public void loadJSSConfig(Properties config) throws Exception {
+
+ String certDb = config.getProperty("certdbDir");
+ if (certDb != null)
+ setCertdbDir(certDb);
+
+ String passwordClass = config.getProperty("passwordClass");
+ if (passwordClass != null)
+ setPasswordClass(passwordClass);
+
+ String passwordFile = config.getProperty("passwordFile");
+ if (passwordFile != null)
+ setPasswordFile(passwordFile);
+
+ String enableOCSP = config.getProperty("enableOCSP");
+ if (enableOCSP != null)
+ setEnableOCSP(Boolean.parseBoolean(enableOCSP));
+
+ String ocspResponderURL = config.getProperty("ocspResponderURL");
+ if (ocspResponderURL != null)
+ setOcspResponderURL(ocspResponderURL);
+
+ String ocspResponderCertNickname = config.getProperty("ocspResponderCertNickname");
+ if (ocspResponderCertNickname != null)
+ setOcspResponderCertNickname(ocspResponderCertNickname);
+
+ String ocspCacheSize = config.getProperty("ocspCacheSize");
+ if (StringUtils.isNotEmpty(ocspCacheSize))
+ setOcspCacheSize(Integer.parseInt(ocspCacheSize));
+
+ String ocspMinCacheEntryDuration = config.getProperty("ocspMinCacheEntryDuration");
+ if (StringUtils.isNotEmpty(ocspMinCacheEntryDuration))
+ setOcspMinCacheEntryDuration(Integer.parseInt(ocspMinCacheEntryDuration));
+
+ String ocspMaxCacheEntryDuration = config.getProperty("ocspMaxCacheEntryDuration");
+ if (StringUtils.isNotEmpty(ocspMaxCacheEntryDuration))
+ setOcspMaxCacheEntryDuration(Integer.parseInt(ocspMaxCacheEntryDuration));
+
+ String ocspTimeout = config.getProperty("ocspTimeout");
+ if (StringUtils.isNotEmpty(ocspTimeout))
+ setOcspTimeout(Integer.parseInt(ocspTimeout));
+
+ String strictCiphers = config.getProperty("strictCiphers");
+ if (strictCiphers != null)
+ setStrictCiphers(strictCiphers);
+
+ String sslVersionRangeStream = config.getProperty("sslVersionRangeStream");
+ if (sslVersionRangeStream != null)
+ setSslVersionRangeStream(sslVersionRangeStream);
+
+ String sslVersionRangeDatagram = config.getProperty("sslVersionRangeDatagram");
+ if (sslVersionRangeDatagram != null)
+ setSslVersionRangeDatagram(sslVersionRangeDatagram);
+
+ String sslRangeCiphers = config.getProperty("sslRangeCiphers");
+ if (sslRangeCiphers != null)
+ setSslRangeCiphers(sslRangeCiphers);
+
+ String sslOptions = config.getProperty("sslOptions");
+ if (sslOptions != null)
+ setSslOptions(sslOptions);
+
+ String ssl2Ciphers = config.getProperty("ssl2Ciphers");
+ if (ssl2Ciphers != null)
+ setSsl2Ciphers(ssl2Ciphers);
+
+ String ssl3Ciphers = config.getProperty("ssl3Ciphers");
+ if (ssl3Ciphers != null)
+ setSsl3Ciphers(ssl3Ciphers);
+
+ String tlsCiphers = config.getProperty("tlsCiphers");
+ if (tlsCiphers != null)
+ setTlsCiphers(tlsCiphers);
+ }
+
+ public void loadTomcatConfig(String serverXml) throws Exception {
+ File configFile = new File(serverXml);
+ loadTomcatConfig(configFile);
+ }
+
+ public void loadTomcatConfig(File configFile) throws Exception {
+
+ DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+ DocumentBuilder builder = factory.newDocumentBuilder();
+ Document document = builder.parse(configFile);
+
+ loadTomcatConfig(document);
+ }
+
+ public void loadTomcatConfig(Document document) throws Exception {
+
+ XPathFactory xPathfactory = XPathFactory.newInstance();
+ XPath xpath = xPathfactory.newXPath();
+
+ Element connector = (Element) xpath.evaluate(
+ "/Server/Service[@name='Catalina']/Connector[@SSLEnabled='true']",
+ document, XPathConstants.NODE);
+
+ String certDb = connector.getAttribute("certdbDir");
+ if (certDb != null)
+ setCertdbDir(certDb);
+
+ String passwordClass = connector.getAttribute("passwordClass");
+ if (passwordClass != null)
+ setPasswordClass(passwordClass);
+
+ String passwordFile = connector.getAttribute("passwordFile");
+ if (passwordFile != null)
+ setPasswordFile(passwordFile);
+
+ String serverCertNickFile = connector.getAttribute("serverCertNickFile");
+ if (serverCertNickFile != null)
+ setServerCertNickFile(serverCertNickFile);
+
+ String enableOCSP = connector.getAttribute("enableOCSP");
+ if (enableOCSP != null)
+ setEnableOCSP(Boolean.parseBoolean(enableOCSP));
+
+ String ocspResponderURL = connector.getAttribute("ocspResponderURL");
+ if (ocspResponderURL != null)
+ setOcspResponderURL(ocspResponderURL);
+
+ String ocspResponderCertNickname = connector.getAttribute("ocspResponderCertNickname");
+ if (ocspResponderCertNickname != null)
+ setOcspResponderCertNickname(ocspResponderCertNickname);
+
+ String ocspCacheSize = connector.getAttribute("ocspCacheSize");
+ if (StringUtils.isNotEmpty(ocspCacheSize))
+ setOcspCacheSize(Integer.parseInt(ocspCacheSize));
+
+ String ocspMinCacheEntryDuration = connector.getAttribute("ocspMinCacheEntryDuration");
+ if (StringUtils.isNotEmpty(ocspMinCacheEntryDuration))
+ setOcspMinCacheEntryDuration(Integer.parseInt(ocspMinCacheEntryDuration));
+
+ String ocspMaxCacheEntryDuration = connector.getAttribute("ocspMaxCacheEntryDuration");
+ if (StringUtils.isNotEmpty(ocspMaxCacheEntryDuration))
+ setOcspMaxCacheEntryDuration(Integer.parseInt(ocspMaxCacheEntryDuration));
+
+ String ocspTimeout = connector.getAttribute("ocspTimeout");
+ if (StringUtils.isNotEmpty(ocspTimeout))
+ setOcspTimeout(Integer.parseInt(ocspTimeout));
+
+ String strictCiphers = connector.getAttribute("strictCiphers");
+ if (strictCiphers != null)
+ setStrictCiphers(strictCiphers);
+
+ String sslVersionRangeStream = connector.getAttribute("sslVersionRangeStream");
+ if (sslVersionRangeStream != null)
+ setSslVersionRangeStream(sslVersionRangeStream);
+
+ String sslVersionRangeDatagram = connector.getAttribute("sslVersionRangeDatagram");
+ if (sslVersionRangeDatagram != null)
+ setSslVersionRangeDatagram(sslVersionRangeDatagram);
+
+ String sslRangeCiphers = connector.getAttribute("sslRangeCiphers");
+ if (sslRangeCiphers != null)
+ setSslRangeCiphers(sslRangeCiphers);
+
+ String sslOptions = connector.getAttribute("sslOptions");
+ if (sslOptions != null)
+ setSslOptions(sslOptions);
+
+ String ssl2Ciphers = connector.getAttribute("ssl2Ciphers");
+ if (ssl2Ciphers != null)
+ setSsl2Ciphers(ssl2Ciphers);
+
+ String ssl3Ciphers = connector.getAttribute("ssl3Ciphers");
+ if (ssl3Ciphers != null)
+ setSsl3Ciphers(ssl3Ciphers);
+
+ String tlsCiphers = connector.getAttribute("tlsCiphers");
+ if (tlsCiphers != null)
+ setTlsCiphers(tlsCiphers);
+ }
+
public void init() throws Exception {
if (initialized) {
=====================================
src/org/dogtagpki/tomcat/JSSKeyManager.java deleted
=====================================
@@ -1,146 +0,0 @@
-/* BEGIN COPYRIGHT BLOCK
- * This library is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public
- * License as published by the Free Software Foundation; either
- * version 2.1 of the License, or (at your option) any later version.
- *
- * This library is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public
- * License along with this library; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
- *
- * Copyright (C) 2017 Red Hat, Inc.
- * All rights reserved.
- * END COPYRIGHT BLOCK */
-
-package org.dogtagpki.tomcat;
-
-import java.net.Socket;
-import java.security.Principal;
-import java.security.PrivateKey;
-import java.security.cert.X509Certificate;
-import java.util.ArrayList;
-import java.util.Collection;
-
-import javax.net.ssl.X509KeyManager;
-
-import org.mozilla.jss.CryptoManager;
-import org.mozilla.jss.crypto.ObjectNotFoundException;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-import sun.security.x509.X509CertImpl;
-
-public class JSSKeyManager implements X509KeyManager {
-
- final static Logger logger = LoggerFactory.getLogger(JSSKeyManager.class);
-
- @Override
- public String chooseClientAlias(String[] keyTypes, Principal[] issuers, Socket socket) {
- logger.debug("JSSKeyManager: chooseClientAlias()");
-
- logger.debug("JSSKeyManager: key types:");
- for (String keyType : keyTypes) {
- logger.debug("JSSKeyManager: - " + keyType);
- }
-
- logger.debug("JSSKeyManager: issuers:");
- for (Principal issuer : issuers) {
- logger.debug("JSSKeyManager: - " + issuer.getName());
- }
-
- return null; // not implemented
- }
-
- @Override
- public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket) {
- logger.debug("JSSKeyManager: chooseServerAlias()");
- logger.debug("JSSKeyManager: key type: " + keyType);
-
- logger.debug("JSSKeyManager: issuers:");
- for (Principal issuer : issuers) {
- logger.debug("JSSKeyManager: - " + issuer.getName());
- }
-
- return null; // not implemented
- }
-
- @Override
- public X509Certificate[] getCertificateChain(String alias) {
-
- logger.debug("JSSKeyManager: getCertificateChain(" + alias + ")");
-
- try {
- CryptoManager cm = CryptoManager.getInstance();
- org.mozilla.jss.crypto.X509Certificate cert = cm.findCertByNickname(alias);
-
- org.mozilla.jss.crypto.X509Certificate[] chain = cm.buildCertificateChain(cert);
- logger.debug("JSSKeyManager: cert chain:");
-
- Collection<X509Certificate> list = new ArrayList<>();
- for (org.mozilla.jss.crypto.X509Certificate c : chain) {
- logger.debug("JSSKeyManager: - " + c.getSubjectDN());
- list.add(new X509CertImpl(c.getEncoded()));
- }
-
- return list.toArray(new X509Certificate[list.size()]);
-
- } catch (Throwable e) {
- logger.error(e.getMessage(), e);
- throw new RuntimeException(e);
- }
- }
-
- @Override
- public String[] getClientAliases(String keyType, Principal[] issuers) {
- logger.debug("JSSKeyManager: getClientAliases()");
- logger.debug("JSSKeyManager: key type: " + keyType);
-
- logger.debug("JSSKeyManager: issuers:");
- for (Principal issuer : issuers) {
- logger.debug("JSSKeyManager: - " + issuer.getName());
- }
-
- return null; // not implemented
- }
-
- @Override
- public PrivateKey getPrivateKey(String alias) {
-
- logger.debug("JSSKeyManager: getPrivateKey(" + alias + ")");
-
- try {
- CryptoManager cm = CryptoManager.getInstance();
- org.mozilla.jss.crypto.X509Certificate cert = cm.findCertByNickname(alias);
- PrivateKey privateKey = cm.findPrivKeyByCert(cert);
-
- logger.debug("JSSKeyManager: key found: " + alias);
- return privateKey;
-
- } catch (ObjectNotFoundException e) {
- logger.debug("JSSKeyManager: key not found: " + alias);
- return null;
-
- } catch (Throwable e) {
- logger.error(e.getMessage(), e);
- throw new RuntimeException(e);
- }
- }
-
- @Override
- public String[] getServerAliases(String keyType, Principal[] issuers) {
- logger.debug("JSSKeyManager: getServerAliases()");
- logger.debug("JSSKeyManager: key type: " + keyType);
-
- logger.debug("JSSKeyManager: issuers:");
- for (Principal issuer : issuers) {
- logger.debug("JSSKeyManager: - " + issuer.getName());
- }
-
- return null; // not implemented
- }
-}
=====================================
src/org/dogtagpki/tomcat/JSSListener.java
=====================================
@@ -20,24 +20,13 @@
package org.dogtagpki.tomcat;
import java.io.File;
-import java.io.FileReader;
-import java.util.Properties;
-
-import javax.xml.parsers.DocumentBuilder;
-import javax.xml.parsers.DocumentBuilderFactory;
-import javax.xml.xpath.XPath;
-import javax.xml.xpath.XPathConstants;
-import javax.xml.xpath.XPathFactory;
import org.apache.catalina.Lifecycle;
import org.apache.catalina.LifecycleEvent;
import org.apache.catalina.LifecycleListener;
-import org.apache.commons.lang.StringUtils;
import org.apache.tomcat.util.net.jss.TomcatJSS;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
-import org.w3c.dom.Document;
-import org.w3c.dom.Element;
public class JSSListener implements LifecycleListener {
@@ -66,195 +55,28 @@ public class JSSListener implements LifecycleListener {
public void initJSS() {
logger.info("JSSListener: Initializing JSS");
- logger.info("JSSListener: Config: " + configFile);
try {
- if (configFile != null) {
- loadJSSConfig();
+ TomcatJSS tomcatjss = TomcatJSS.getInstance();
+
+ String catalinaBase = System.getProperty("catalina.base");
+ String jssConf = catalinaBase + "/conf/jss.conf";
+ File configFile = new File(jssConf);
+
+ if (configFile.exists()) {
+ logger.info("JSSListener: Loading JSS configuration from " + jssConf);
+ tomcatjss.loadJSSConfig(configFile);
+
} else {
- loadServerXml();
+ String serverXml = catalinaBase + "/conf/server.xml";
+ logger.info("JSSListener: Loading JSS configuration from " + serverXml);
+ tomcatjss.loadTomcatConfig(serverXml);
}
- TomcatJSS tomcatjss = TomcatJSS.getInstance();
tomcatjss.init();
} catch (Exception e) {
throw new RuntimeException(e);
}
}
-
- public void loadJSSConfig() throws Exception {
-
- Properties properties = new Properties();
- properties.load(new FileReader(configFile));
-
- TomcatJSS tomcatjss = TomcatJSS.getInstance();
-
- String certDb = properties.getProperty("certdbDir");
- if (certDb != null)
- tomcatjss.setCertdbDir(certDb);
-
- String passwordClass = properties.getProperty("passwordClass");
- if (passwordClass != null)
- tomcatjss.setPasswordClass(passwordClass);
-
- String passwordFile = properties.getProperty("passwordFile");
- if (passwordFile != null)
- tomcatjss.setPasswordFile(passwordFile);
-
- String enableOCSP = properties.getProperty("enableOCSP");
- if (enableOCSP != null)
- tomcatjss.setEnableOCSP(Boolean.parseBoolean(enableOCSP));
-
- String ocspResponderURL = properties.getProperty("ocspResponderURL");
- if (ocspResponderURL != null)
- tomcatjss.setOcspResponderURL(ocspResponderURL);
-
- String ocspResponderCertNickname = properties.getProperty("ocspResponderCertNickname");
- if (ocspResponderCertNickname != null)
- tomcatjss.setOcspResponderCertNickname(ocspResponderCertNickname);
-
- String ocspCacheSize = properties.getProperty("ocspCacheSize");
- if (StringUtils.isNotEmpty(ocspCacheSize))
- tomcatjss.setOcspCacheSize(Integer.parseInt(ocspCacheSize));
-
- String ocspMinCacheEntryDuration = properties.getProperty("ocspMinCacheEntryDuration");
- if (StringUtils.isNotEmpty(ocspMinCacheEntryDuration))
- tomcatjss.setOcspMinCacheEntryDuration(Integer.parseInt(ocspMinCacheEntryDuration));
-
- String ocspMaxCacheEntryDuration = properties.getProperty("ocspMaxCacheEntryDuration");
- if (StringUtils.isNotEmpty(ocspMaxCacheEntryDuration))
- tomcatjss.setOcspMaxCacheEntryDuration(Integer.parseInt(ocspMaxCacheEntryDuration));
-
- String ocspTimeout = properties.getProperty("ocspTimeout");
- if (StringUtils.isNotEmpty(ocspTimeout))
- tomcatjss.setOcspTimeout(Integer.parseInt(ocspTimeout));
-
- String strictCiphers = properties.getProperty("strictCiphers");
- if (strictCiphers != null)
- tomcatjss.setStrictCiphers(strictCiphers);
-
- String sslVersionRangeStream = properties.getProperty("sslVersionRangeStream");
- if (sslVersionRangeStream != null)
- tomcatjss.setSslVersionRangeStream(sslVersionRangeStream);
-
- String sslVersionRangeDatagram = properties.getProperty("sslVersionRangeDatagram");
- if (sslVersionRangeDatagram != null)
- tomcatjss.setSslVersionRangeDatagram(sslVersionRangeDatagram);
-
- String sslRangeCiphers = properties.getProperty("sslRangeCiphers");
- if (sslRangeCiphers != null)
- tomcatjss.setSslRangeCiphers(sslRangeCiphers);
-
- String sslOptions = properties.getProperty("sslOptions");
- if (sslOptions != null)
- tomcatjss.setSslOptions(sslOptions);
-
- String ssl2Ciphers = properties.getProperty("ssl2Ciphers");
- if (ssl2Ciphers != null)
- tomcatjss.setSsl2Ciphers(ssl2Ciphers);
-
- String ssl3Ciphers = properties.getProperty("ssl3Ciphers");
- if (ssl3Ciphers != null)
- tomcatjss.setSsl3Ciphers(ssl3Ciphers);
-
- String tlsCiphers = properties.getProperty("tlsCiphers");
- if (tlsCiphers != null)
- tomcatjss.setTlsCiphers(tlsCiphers);
- }
-
- public void loadServerXml() throws Exception {
-
- DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
- DocumentBuilder builder = factory.newDocumentBuilder();
-
- String catalinaBase = System.getProperty("catalina.base");
- File file = new File(catalinaBase + "/conf/server.xml");
- Document doc = builder.parse(file);
-
- XPathFactory xPathfactory = XPathFactory.newInstance();
- XPath xpath = xPathfactory.newXPath();
-
- Element connector = (Element) xpath.evaluate(
- "/Server/Service[@name='Catalina']/Connector[@SSLEnabled='true']",
- doc, XPathConstants.NODE);
-
- TomcatJSS tomcatjss = TomcatJSS.getInstance();
-
- String certDb = connector.getAttribute("certdbDir");
- if (certDb != null)
- tomcatjss.setCertdbDir(certDb);
-
- String passwordClass = connector.getAttribute("passwordClass");
- if (passwordClass != null)
- tomcatjss.setPasswordClass(passwordClass);
-
- String passwordFile = connector.getAttribute("passwordFile");
- if (passwordFile != null)
- tomcatjss.setPasswordFile(passwordFile);
-
- String serverCertNickFile = connector.getAttribute("serverCertNickFile");
- if (serverCertNickFile != null)
- tomcatjss.setServerCertNickFile(serverCertNickFile);
-
- String enableOCSP = connector.getAttribute("enableOCSP");
- if (enableOCSP != null)
- tomcatjss.setEnableOCSP(Boolean.parseBoolean(enableOCSP));
-
- String ocspResponderURL = connector.getAttribute("ocspResponderURL");
- if (ocspResponderURL != null)
- tomcatjss.setOcspResponderURL(ocspResponderURL);
-
- String ocspResponderCertNickname = connector.getAttribute("ocspResponderCertNickname");
- if (ocspResponderCertNickname != null)
- tomcatjss.setOcspResponderCertNickname(ocspResponderCertNickname);
-
- String ocspCacheSize = connector.getAttribute("ocspCacheSize");
- if (StringUtils.isNotEmpty(ocspCacheSize))
- tomcatjss.setOcspCacheSize(Integer.parseInt(ocspCacheSize));
-
- String ocspMinCacheEntryDuration = connector.getAttribute("ocspMinCacheEntryDuration");
- if (StringUtils.isNotEmpty(ocspMinCacheEntryDuration))
- tomcatjss.setOcspMinCacheEntryDuration(Integer.parseInt(ocspMinCacheEntryDuration));
-
- String ocspMaxCacheEntryDuration = connector.getAttribute("ocspMaxCacheEntryDuration");
- if (StringUtils.isNotEmpty(ocspMaxCacheEntryDuration))
- tomcatjss.setOcspMaxCacheEntryDuration(Integer.parseInt(ocspMaxCacheEntryDuration));
-
- String ocspTimeout = connector.getAttribute("ocspTimeout");
- if (StringUtils.isNotEmpty(ocspTimeout))
- tomcatjss.setOcspTimeout(Integer.parseInt(ocspTimeout));
-
- String strictCiphers = connector.getAttribute("strictCiphers");
- if (strictCiphers != null)
- tomcatjss.setStrictCiphers(strictCiphers);
-
- String sslVersionRangeStream = connector.getAttribute("sslVersionRangeStream");
- if (sslVersionRangeStream != null)
- tomcatjss.setSslVersionRangeStream(sslVersionRangeStream);
-
- String sslVersionRangeDatagram = connector.getAttribute("sslVersionRangeDatagram");
- if (sslVersionRangeDatagram != null)
- tomcatjss.setSslVersionRangeDatagram(sslVersionRangeDatagram);
-
- String sslRangeCiphers = connector.getAttribute("sslRangeCiphers");
- if (sslRangeCiphers != null)
- tomcatjss.setSslRangeCiphers(sslRangeCiphers);
-
- String sslOptions = connector.getAttribute("sslOptions");
- if (sslOptions != null)
- tomcatjss.setSslOptions(sslOptions);
-
- String ssl2Ciphers = connector.getAttribute("ssl2Ciphers");
- if (ssl2Ciphers != null)
- tomcatjss.setSsl2Ciphers(ssl2Ciphers);
-
- String ssl3Ciphers = connector.getAttribute("ssl3Ciphers");
- if (ssl3Ciphers != null)
- tomcatjss.setSsl3Ciphers(ssl3Ciphers);
-
- String tlsCiphers = connector.getAttribute("tlsCiphers");
- if (tlsCiphers != null)
- tomcatjss.setTlsCiphers(tlsCiphers);
- }
}
=====================================
src/org/dogtagpki/tomcat/JSSTrustManager.java deleted
=====================================
@@ -1,197 +0,0 @@
-/* BEGIN COPYRIGHT BLOCK
- * This library is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public
- * License as published by the Free Software Foundation; either
- * version 2.1 of the License, or (at your option) any later version.
- *
- * This library is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public
- * License along with this library; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
- *
- * Copyright (C) 2017 Red Hat, Inc.
- * All rights reserved.
- * END COPYRIGHT BLOCK */
-
-package org.dogtagpki.tomcat;
-
-import java.security.cert.CertificateException;
-import java.security.cert.X509Certificate;
-import java.util.ArrayList;
-import java.util.Arrays;
-import java.util.Collection;
-import java.util.List;
-
-import javax.net.ssl.X509TrustManager;
-
-import org.mozilla.jss.CryptoManager;
-import org.mozilla.jss.NotInitializedException;
-import org.mozilla.jss.netscape.security.util.Cert;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-import sun.security.x509.X509CertImpl;
-
-public class JSSTrustManager implements X509TrustManager {
-
- final static Logger logger = LoggerFactory.getLogger(JSSTrustManager.class);
-
- final static String SERVER_AUTH_OID = "1.3.6.1.5.5.7.3.1";
- final static String CLIENT_AUTH_OID = "1.3.6.1.5.5.7.3.2";
-
- public void checkCertChain(X509Certificate[] certChain, String keyUsage) throws Exception {
-
- logger.debug("JSSTrustManager: checkCertChain(" + keyUsage + ")");
-
- // sort cert chain from root to leaf
- certChain = Cert.sortCertificateChain(certChain);
-
- for (X509Certificate cert : certChain) {
- logger.debug("JSSTrustManager: - " + cert.getSubjectDN());
- }
-
- // get CA certs
- X509Certificate[] caCerts = getAcceptedIssuers();
-
- // validating cert chain from root to leaf
- for (int i = 0; i < certChain.length; i++) {
-
- X509Certificate cert = certChain[i];
-
- // validating key usage on leaf cert only
- String usage;
- if (i == certChain.length - 1) {
- usage = keyUsage;
- } else {
- usage = null;
- }
-
- checkCert(cert, caCerts, usage);
-
- // use the current cert as the CA cert for the next cert in the chain
- caCerts = new X509Certificate[] { cert };
- }
- }
-
- public void checkCert(X509Certificate cert, X509Certificate[] caCerts, String keyUsage) throws Exception {
-
- logger.debug("JSSTrustManager: checkCert(" + cert.getSubjectDN() + "):");
-
- boolean[] aki = cert.getIssuerUniqueID();
- logger.debug("JSSTrustManager: cert AKI: " + Arrays.toString(aki));
-
- X509Certificate issuer = null;
- for (X509Certificate caCert : caCerts) {
-
- boolean[] ski = caCert.getSubjectUniqueID();
- logger.debug("JSSTrustManager: SKI of " + caCert.getSubjectDN() + ": " + Arrays.toString(ski));
-
- try {
- cert.verify(caCert.getPublicKey(), "Mozilla-JSS");
- issuer = caCert;
- break;
- } catch (Exception e) {
- logger.debug("JSSTrustManager: invalid certificate: " + e);
- }
- }
-
- if (issuer == null) {
- throw new CertificateException("Unable to validate signature: " + cert.getSubjectDN());
- }
-
- logger.debug("JSSTrustManager: cert signed by " + issuer.getSubjectDN());
-
- logger.debug("JSSTrustManager: checking validity range:");
- logger.debug("JSSTrustManager: - not before: " + cert.getNotBefore());
- logger.debug("JSSTrustManager: - not after: " + cert.getNotAfter());
- cert.checkValidity();
-
- if (keyUsage != null) {
-
- List<String> extendedKeyUsages = cert.getExtendedKeyUsage();
- logger.debug("JSSTrustManager: checking extended key usages:");
-
- for (String extKeyUsage : extendedKeyUsages) {
- logger.debug("JSSTrustManager: - " + extKeyUsage);
- }
-
- if (extendedKeyUsages.contains(keyUsage)) {
- logger.debug("JSSTrustManager: extended key usage found: " + keyUsage);
- } else {
- throw new CertificateException("Missing extended key usage: " + keyUsage);
- }
- }
- }
-
- @Override
- public void checkClientTrusted(X509Certificate[] certChain, String authType) throws CertificateException {
-
- logger.debug("JSSTrustManager: checkClientTrusted(" + authType + "):");
-
- try {
- checkCertChain(certChain, CLIENT_AUTH_OID);
- logger.debug("JSSTrustManager: SSL client certificate is valid");
-
- } catch (CertificateException e) {
- logger.warn("JSSTrustManager: Invalid SSL client certificate: " + e);
- throw e;
-
- } catch (Exception e) {
- logger.warn("JSSTrustManager: Unable to validate certificate: " + e);
- throw new CertificateException(e);
- }
- }
-
- @Override
- public void checkServerTrusted(X509Certificate[] certChain, String authType) throws CertificateException {
-
- logger.debug("JSSTrustManager: checkServerTrusted(" + certChain.length + ", " + authType + "):");
-
- try {
- checkCertChain(certChain, SERVER_AUTH_OID);
- logger.debug("JSSTrustManager: SSL server certificate is valid");
-
- } catch (CertificateException e) {
- logger.warn("JSSTrustManager: Invalid SSL server certificate: " + e);
- throw e;
-
- } catch (Exception e) {
- logger.warn("JSSTrustManager: Unable to validate SSL server certificate: " + e);
- throw new CertificateException(e);
- }
- }
-
- @Override
- public X509Certificate[] getAcceptedIssuers() {
-
- logger.debug("JSSTrustManager: getAcceptedIssuers():");
-
- Collection<X509Certificate> caCerts = new ArrayList<>();
-
- try {
- CryptoManager manager = CryptoManager.getInstance();
- for (org.mozilla.jss.crypto.X509Certificate cert : manager.getCACerts()) {
- logger.debug("JSSTrustManager: - " + cert.getSubjectDN());
-
- try {
- X509CertImpl caCert = new X509CertImpl(cert.getEncoded());
- caCert.checkValidity();
- caCerts.add(caCert);
-
- } catch (Exception e) {
- logger.debug("JSSTrustManager: invalid CA certificate: " + e);
- }
- }
-
- } catch (NotInitializedException e) {
- logger.error("JSSTrustManager: Unable to get CryptoManager: " + e, e);
- throw new RuntimeException(e);
- }
-
- return caCerts.toArray(new X509Certificate[caCerts.size()]);
- }
-}
=====================================
tomcat-8.5/src/org/dogtagpki/tomcat/JSSContext.java
=====================================
@@ -0,0 +1,117 @@
+package org.dogtagpki.tomcat;
+
+import java.security.Provider;
+import java.security.KeyManagementException;
+import java.security.SecureRandom;
+import java.security.Security;
+import java.util.List;
+
+import javax.net.ssl.KeyManager;
+import javax.net.ssl.KeyManagerFactory;
+import javax.net.ssl.TrustManager;
+import javax.net.ssl.TrustManagerFactory;
+
+import org.apache.tomcat.util.net.SSLContext;
+
+import org.mozilla.jss.JSSProvider;
+import org.mozilla.jss.provider.javax.crypto.JSSKeyManager;
+import org.mozilla.jss.provider.javax.crypto.JSSTrustManager;
+import org.mozilla.jss.ssl.javax.JSSEngine;
+import org.mozilla.jss.ssl.javax.JSSParameters;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+public class JSSContext implements org.apache.tomcat.util.net.SSLContext {
+ public static Logger logger = LoggerFactory.getLogger(JSSContext.class);
+
+ private javax.net.ssl.SSLContext ctx;
+ private String alias;
+
+ private JSSKeyManager jkm;
+ private JSSTrustManager jtm;
+
+ public JSSContext(String alias) {
+ logger.debug("JSSContext(" + alias + ")");
+ this.alias = alias;
+
+ /* These KeyManagers and TrustManagers aren't used with the SSLEngine;
+ * they're only used to implement certain function calls below. */
+ try {
+ KeyManagerFactory kmf = KeyManagerFactory.getInstance("NssX509", "Mozilla-JSS");
+ jkm = (JSSKeyManager) kmf.getKeyManagers()[0];
+
+ TrustManagerFactory tmf = TrustManagerFactory.getInstance("NssX509", "Mozilla-JSS");
+ jtm = (JSSTrustManager) tmf.getTrustManagers()[0];
+ } catch (Exception e) {
+ throw new RuntimeException(e.getMessage(), e);
+ }
+ }
+
+ public void init(KeyManager[] kms, TrustManager[] tms, SecureRandom sr) throws KeyManagementException {
+ logger.debug("JSSContext.init(...)");
+
+ try {
+ String provider = "SunJSSE";
+ if (JSSProvider.ENABLE_JSSENGINE) {
+ provider = "Mozilla-JSS";
+ }
+
+ ctx = javax.net.ssl.SSLContext.getInstance("TLS", provider);
+ ctx.init(kms, tms, sr);
+ } catch (Exception e) {
+ throw new KeyManagementException(e.getMessage(), e);
+ }
+ }
+
+ public javax.net.ssl.SSLEngine createSSLEngine() {
+ logger.debug("JSSContext.createSSLEngine()");
+ javax.net.ssl.SSLEngine eng = ctx.createSSLEngine();
+
+ if (eng instanceof JSSEngine) {
+ JSSEngine j_eng = (JSSEngine) eng;
+ j_eng.setCertFromAlias(alias);
+ }
+
+ return eng;
+ }
+
+ public javax.net.ssl.SSLSessionContext getServerSessionContext() {
+ logger.debug("JSSContext.getServerSessionContext()");
+ return ctx.getServerSessionContext();
+ }
+
+ public javax.net.ssl.SSLServerSocketFactory getServerSocketFactory() {
+ logger.debug("JSSContext.getServerSocketFactory()");
+ return ctx.getServerSocketFactory();
+ }
+
+ public javax.net.ssl.SSLParameters getSupportedSSLParameters() {
+ logger.debug("JSSContext.getSupportedSSLParameters()");
+ return ctx.getSupportedSSLParameters();
+ }
+
+ public java.security.cert.X509Certificate[] getCertificateChain(java.lang.String alias) {
+ logger.debug("JSSContext.getCertificateChain(" + alias + ")");
+
+ try {
+ return jkm.getCertificateChain(alias);
+ } catch (Exception e) {
+ throw new RuntimeException(e.getMessage(), e);
+ }
+ }
+
+ public java.security.cert.X509Certificate[] getAcceptedIssuers() {
+ logger.debug("JSSContext.getAcceptedIssuers()");
+
+ try {
+ return jtm.getAcceptedIssuers();
+ } catch (Exception e) {
+ throw new RuntimeException(e.getMessage(), e);
+ }
+ }
+
+ public void destroy() {
+ logger.debug("JSSContext.destory()");
+ }
+}
=====================================
tomcat-8.5/src/org/dogtagpki/tomcat/JSSImplementation.java
=====================================
@@ -19,14 +19,19 @@
package org.dogtagpki.tomcat;
+import javax.net.ssl.SSLSession;
+
+import org.apache.tomcat.util.net.jsse.JSSESupport;
import org.apache.tomcat.util.net.SSLHostConfig;
import org.apache.tomcat.util.net.SSLHostConfigCertificate;
+import org.apache.tomcat.util.net.SSLImplementation;
+import org.apache.tomcat.util.net.SSLSupport;
import org.apache.tomcat.util.net.SSLUtil;
-import org.apache.tomcat.util.net.jsse.JSSEImplementation;
+
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
-public class JSSImplementation extends JSSEImplementation {
+public class JSSImplementation extends SSLImplementation {
public static Logger logger = LoggerFactory.getLogger(JSSUtil.class);
@@ -34,6 +39,12 @@ public class JSSImplementation extends JSSEImplementation {
logger.debug("JSSImplementation: instance created");
}
+ @Override
+ public SSLSupport getSSLSupport(SSLSession session) {
+ logger.debug("JSSImplementation.getSSLSupport()");
+ return new JSSESupport(session);
+ }
+
@Override
public SSLUtil getSSLUtil(SSLHostConfigCertificate cert) {
logger.debug("JSSImplementation: getSSLUtil()");
@@ -47,4 +58,10 @@ public class JSSImplementation extends JSSEImplementation {
return new JSSUtil(cert);
}
+
+ @Override
+ public boolean isAlpnSupported() {
+ // NSS supports ALPN but JSS doesn't yet support ALPN.
+ return false;
+ }
}
=====================================
tomcat-8.5/src/org/dogtagpki/tomcat/JSSUtil.java
=====================================
@@ -19,35 +19,118 @@
package org.dogtagpki.tomcat;
+import java.util.Arrays;
+import java.util.Collections;
+import java.util.List;
+import java.util.Set;
+import java.util.HashSet;
+
import javax.net.ssl.KeyManager;
+import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.TrustManager;
+import javax.net.ssl.TrustManagerFactory;
+import javax.net.ssl.SSLEngine;
+import org.apache.juli.logging.Log;
+import org.apache.juli.logging.LogFactory;
import org.apache.tomcat.util.net.SSLHostConfigCertificate;
import org.apache.tomcat.util.net.jsse.JSSEKeyManager;
-import org.apache.tomcat.util.net.jsse.JSSEUtil;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
+import org.apache.tomcat.util.net.SSLContext;
+import org.apache.tomcat.util.net.SSLUtil;
+import org.apache.tomcat.util.net.SSLUtilBase;
+
+import org.mozilla.jss.JSSProvider;
+import org.mozilla.jss.crypto.Policy;
+import org.mozilla.jss.provider.javax.crypto.JSSNativeTrustManager;
+import org.mozilla.jss.ssl.SSLCipher;
+import org.mozilla.jss.ssl.SSLVersion;
-public class JSSUtil extends JSSEUtil {
+public class JSSUtil extends SSLUtilBase {
+ public static Log logger = LogFactory.getLog(JSSUtil.class);
- public static Logger logger = LoggerFactory.getLogger(JSSUtil.class);
+ private String keyAlias;
+
+ private SSLEngine engine;
+ private Set<String> protocols;
+ private Set<String> ciphers;
public JSSUtil(SSLHostConfigCertificate cert) {
super(cert);
+
+ keyAlias = certificate.getCertificateKeyAlias();
logger.debug("JSSUtil: instance created");
}
+ private void init() {
+ if (engine != null) {
+ return;
+ }
+
+ try {
+ JSSContext ctx = new JSSContext(null);
+ ctx.init(null, null, null);
+ engine = ctx.createSSLEngine();
+ } catch (Exception e) {
+ throw new RuntimeException(e.getMessage(), e);
+ }
+
+ protocols = Collections.unmodifiableSet(
+ new HashSet<String>(Arrays.asList(engine.getSupportedProtocols()))
+ );
+
+ ciphers = Collections.unmodifiableSet(
+ new HashSet<String>(Arrays.asList(engine.getSupportedCipherSuites()))
+ );
+ }
+
@Override
public KeyManager[] getKeyManagers() throws Exception {
logger.debug("JSSUtil: getKeyManagers()");
- String keyAlias = certificate.getCertificateKeyAlias();
- KeyManager keyManager = new JSSEKeyManager(new JSSKeyManager(), keyAlias);
- return new KeyManager[] { keyManager };
+ KeyManagerFactory jkm = KeyManagerFactory.getInstance("NssX509", "Mozilla-JSS");
+ return jkm.getKeyManagers();
}
@Override
public TrustManager[] getTrustManagers() throws Exception {
logger.debug("JSSUtil: getTrustManagers()");
- return new TrustManager[] { new JSSTrustManager() };
+ if (!JSSProvider.ENABLE_JSSENGINE) {
+ TrustManagerFactory tmf = TrustManagerFactory.getInstance("NssX509");
+ return tmf.getTrustManagers();
+ }
+
+ return new TrustManager[] { new JSSNativeTrustManager() };
+ }
+
+ @Override
+ public SSLContext createSSLContextInternal(List<String> negotiableProtocols) throws Exception {
+ logger.debug("JSSUtil createSSLContextInternal(...) keyAlias=" + keyAlias);
+ return new JSSContext(keyAlias);
+ }
+
+ @Override
+ public boolean isTls13RenegAuthAvailable() {
+ logger.debug("JSSUtil: isTls13RenegAuthAvailable()");
+ return true;
+ }
+
+ @Override
+ public Log getLog() {
+ logger.debug("JSSUtil: getLog()");
+ return logger;
+ }
+
+ @Override
+ protected Set<String> getImplementedProtocols() {
+ logger.debug("JSSUtil: getImplementedProtocols()");
+ init();
+ return protocols;
+ }
+
+ @Override
+ protected Set<String> getImplementedCiphers() {
+ logger.debug("JSSUtil: getImplementedCiphers()");
+ init();
+
+ return ciphers;
}
}
=====================================
tomcatjss.spec
=====================================
@@ -7,9 +7,9 @@ URL: http://www.dogtagpki.org/wiki/TomcatJSS
License: LGPLv2+
BuildArch: noarch
-Version: 7.4.0
+Version: 7.5.0
Release: 1%{?_timestamp}%{?_commit_id}%{?dist}
-# global _phase -a1
+#global _phase -a1
# To generate the source tarball:
# $ git clone https://github.com/dogtagpki/tomcatjss.git
@@ -57,7 +57,7 @@ BuildRequires: slf4j-jdk14
%if 0%{?rhel} && 0%{?rhel} <= 7
BuildRequires: jss >= 4.4.0-7
%else
-BuildRequires: jss >= 4.5.3
+BuildRequires: jss >= 4.7.0
%endif
# Tomcat
@@ -104,7 +104,7 @@ Requires: slf4j-jdk14
%if 0%{?rhel} && 0%{?rhel} <= 7
Requires: jss >= 4.4.0-7
%else
-Requires: jss >= 4.5.3
+Requires: jss >= 4.7.0
%endif
# Tomcat
@@ -126,12 +126,6 @@ Requires: tomcat >= 1:9.0.7
%endif
%endif
-# The 'tomcatjss' package conflicts with the 'tomcat-native' package
-# because it uses an underlying NSS security model rather than the
-# OpenSSL security model, so these two packages may not co-exist.
-# (see Bugzilla Bug #441974 for details)
-Conflicts: tomcat-native
-
# PKI
Conflicts: pki-base < 10.6.5
@@ -182,6 +176,8 @@ ant -f build.xml \
%files
################################################################################
+%license LICENSE
+
%defattr(-,root,root)
%doc README
%doc LICENSE
View it on GitLab: https://salsa.debian.org/freeipa-team/tomcatjss/-/compare/cd558e53c879640fbc0bc5d23ab577b2938985f9...73ec485eca5c93712f18a23567671e525d13c26c
--
View it on GitLab: https://salsa.debian.org/freeipa-team/tomcatjss/-/compare/cd558e53c879640fbc0bc5d23ab577b2938985f9...73ec485eca5c93712f18a23567671e525d13c26c
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/pkg-freeipa-devel/attachments/20200728/4c6993ae/attachment-0001.html>
More information about the Pkg-freeipa-devel
mailing list